


http://www.buffalonews.com/145/story/296415.html



By Jonathan Epstein

The Buffalo News

03/11/08



HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago.



The Buffalo-based parent of BlueCross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.



Based on the company’s investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers. However, there was no health or medical claims information involved, spokeswoman Karen Merkel-Liberatore said late Monday.



HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft. But the company has no plans to re-assign new health insurance identification numbers en masse, though it will do so at the request of any individual members, Merkel-Liberatore said.



“At this point, I don’t believe we’ve had any requests to do that,” she said. “If they feel more comfortable changing their identification number, we could certainly do that.”



She stressed, however, that it’s unlikely anyone could or would use the information to find out about a member’s health status or obtain healthcare in their name, since most doctors and hospitals ask for the membership card before providing care.



The laptop was not encrypted, but does have security features, including the requirement to enter the user’s identification number and passcode after 15 minutes of inactivity. Also, the company shut down the laptop’s access to the corporate network, and has not detected any activity from the laptop since the disappearance.



The employee is no longer with HealthNow, having accepted a position at another company out of state, but the insurer is still in contact. “We definitely have taken this matter very seriously,” Merkel-Liberatore said.



This is the latest example nationwide of a computer security breach involving confidential personal information that could be used to commit identity theft, although that doesn’t necessarily happen. Lost laptops and computer backup tapes or disks in transit have been a particular source of problems, as companies increasingly use such “mobile devices” and storage that often is not as secure as the primary in-house computer servers.



Tens of millions of U.S. consumers have been affected in recent years by breaches involving more than 100 million accounts at banks, merchants, health insurers, hospitals and government agencies. The biggest, involving retailer T.J. Maxx parent TJX Cos., hit 45.7 million people in late 2006.



In HealthNow’s case, the company is reconfiguring its claims software system, and the employee had downloaded some member information to his laptop while working on the project so he could work either in the building or at home. The laptop was reported missing in late fall, but the company did not notify customers until now because officials wanted to make sure whether such action would be necessary.



Instead, officials first “spent an exorbitant amount of time” to try and locate the laptop, which they still believe is in the company’s building, Merkel-Liberatore said. Only “when it was apparent we couldn’t find it” did officials try to narrow down what information might have been lost, she added.



Using the company’s shared drive and with the cooperation of the employee, officials retraced his path to determine what information he was working with. The company then set up the credit-monitoring, and began contacting members last Thursday and Friday.



“We didn’t want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with,” she said. “With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable.”



The company has also tightened its policies and procedures about use of laptops and other mobile devices “to ensure that the policies are more strict,” she said. She added that officials are also encrypting all information on laptops “to prevent this situation from recurring.”







___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn




